
Bug#784373: [Ceph-maintainers] Bug#784373: jessie-pu: package ceph/0.80.9-2 (pre approval)



Hi Julien

Do you need any additional information? I would like to have a decision
on this soon as I really want to get at least CVE-2015-5245 fixed in the
next Debian stable release. This is a minor security issue which was
deferred by the Security Team to a stable update and there was no DSA
issued for it.

To be able to prepare the upload for the stable release I need to know
if you agree to follow the upstream maintenance releases or if I have to
do an upload with only the security issue fixed. If I got the timing
right, the next point release is still scheduled for 24th January. So
there is only little time left to prepare the upload.

As this is now undecided for quite a long time I would even prefer a NACK
to having this unresolved any longer if you don't feel comfortable with
the idea of having the maintenance releases in stable. This way I at
least know that I don't have to bother anymore.

If you don't want to rush things but are in general fine with the idea,
I'm also fine with only fixing the security bug now, as the time is quite
tight, and uploading 0.80.11 for the Debian 8.4 point release.

Gaudenz

Gaudenz Steinlin <gaudenz@debian.org> writes:

> [ CCing the upstream package maintainers list ]
>
> Hi
>
> Julien Cristau <jcristau@debian.org> writes:
>
>> On Fri, Sep 18, 2015 at 22:57:27 +0200, Gaudenz Steinlin wrote:
>>
>>> 
>>> Hi debian-release
>>> 
>>> Gaudenz Steinlin <gaudenz@debian.org> writes:
>>> 
>>> > Gaudenz Steinlin <gaudenz@debian.org> writes:
>>> >> I'd like to update ceph in jessie to the latest upstream bugfix release.
>>> >> The version of ceph in jessie is a long term support (LTS) release which
>>> >> will receive updates at least until January 2016. Updates will be bugfix
>>> >> only. New features go into new release which are developed in parallel.
>>> >> See at the end of this report for the upstream changelog.
>>> >>
>>> >> See http://ceph.com/docs/master/releases/ for the ceph release timeline
>>> >> and support statement.
>>> >>
>>> >
>>> > Just as an additional data point, Ubuntu has a "Minor Release Exception"
>>> > for stable updates for their ceph package [1].
>>> 
>>> In the meantime another stable point release of ceph 0.80 (0.80.10) was
>>> released and on top of that there is a (minor) security issue which
>>> won't be fixed through a security update but which would be nice to fix
>>> by a stable update (see bug #798567 / CVE-2015-5245).
>>> 
>>> As another stable update has passed, it would be nice if someone of the
>>> stable release team could comment on this and eventually decide if they
>>> are OK with the proposal to follow the ceph stable branch or if they
>>> don't like it and would prefer an update just fixing the security bug.
>>> It would be nice to have a decision soon, so that there is enough time
>>> to prepare and test the update for the next stable point release.
>>> 
>> What does the QA process on upstream's bugfix releases, and on the
>> Debian side for the proposed stable updates, look like?
>
> The QA processes on the upstream side are quite extensive. They run
> integration and upgrade tests on a regular basis. They use their test
> framework teuthology [1] for these tests. Their QA configuration is
> available in the ceph-qa-suite repository [2].
>
> Unfortunately it's not easy to see how this testing is actually done and
> if the tests all pass at release time. Maybe someone from upstream Ceph
> can shed some more light on this and explain things in more detail. Some
> test results can be seen on Pulpito [3] but it's not clear to me how
> these results relate to actual releases.
>
> The QA on the Debian side is not as extensive. My resources are limited,
> but I do run my builds on my own test infrastructure. But I expect the
> changes to the Debian packaging side to be fairly minimal.
>
>>
>> So far I'm leaning towards rejecting this request, as I don't want to
>> spend that much time reviewing these changes, and as you see we're
>> already way behind on stable update requests.
>
> I don't think it's reasonable to expect the release team to review the
> upstream changes. If you don't trust them enough to not break things,
> then we should not upgrade the package. On the other hand, other major
> Linux distributions do trust them enough, as I wrote in my initial
> request.
>
> If you agree to do these stable updates they have to be done in a
> similar way to the postgres and linux kernel updates. I don't think the
> release team or any Debian developer reviews all upstream changes there.
> So it's really a matter of trust.
>
> Upstream also provides their own Debian packages which are always
> updated to the latest bugfix point releases. I guess many users use
> these packages instead of the packages from Debian because they are
> up to date wrt bugfix releases. IMO this is sad as I think Debian should
> aim at providing the most useful experience out of the box without 3rd
> party repositories.
>
> Gaudenz
>
> [1] https://github.com/ceph/teuthology
> [2] https://github.com/ceph/ceph-qa-suite/tree/firefly
> [3] http://pulpito.ceph.com/?branch=firefly
> _______________________________________________
> Ceph-maintainers mailing list
> Ceph-maintainers@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-maintainers-ceph.com
